Analysis

  • max time kernel
    145s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    26-09-2024 01:03

General

  • Target

    2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe

  • Size

    147KB

  • MD5

    0ebb815bbd3f1b249d4a86d18e5f064b

  • SHA1

    474fea9f172a6d6857a133755953330ae802409b

  • SHA256

    6fa257b42aa0e3323fbf6ca0026f331fe58447e22224d2f0ea8e533bd9eed096

  • SHA512

    a427c4d7ed3d9565c9051801ea6d38ffbd293b2dee0ad54e71b573bfee5030de4c9ca7132373ce90a051201d1c01e07990a877c07e5ab6c73017140e580a24ba

  • SSDEEP

    1536:8zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD4056A76O4xEwyamTS8GHViXqWB:zqJogYkcSNm9V7Drl7Z4q3S4XqWbJT

Malware Config

Extracted

Path

C:\dZGlueXae.README.txt

Ransom Note
########################################################################################
YOUR COMPANY NETWORK HAS BEEN PENETRATED
All your important files have been encrypted!
Your files are safe! Only modified. (RSA+AES)
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to solve your problem.
We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future..
We only seek money and our goal is not to damage your reputation or prevent your business from running.
You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.
YOUR PERSONAL ID: iwy8hbK5HseAftoI3culO2J96rYqV1LNandZ4zQU0GmXPxkSDWM7EFgp
Contact us, use the email: [email protected] [email protected]
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Signatures

  • Renames multiple (182) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4504
    • C:\ProgramData\D802.tmp
      "C:\ProgramData\D802.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D802.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2992
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:4740
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{A35AD049-2C80-41D7-9634-B9327B036FC3}.xps" 133717862389160000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4760

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\CCCCCCCCCCC

      Filesize

      129B

      MD5

      52f273f3fa372d95fbb4756f56759ec9

      SHA1

      4bd27bc0e3b2d6a5ddd0d958a251c4a31680cff0

      SHA256

      69512b5fe0851f9255b51a3cd4be070fc0e6a6ff2b1dad888efbaa0b106ba3c2

      SHA512

      ede3b197c7f87c551ac29e93dee4a0970d5efa858537b833af5efd5615be64d30c4c3e630d991d484e6ce17a22fadcfd95bc8ab20933e88e9e8ca1861f532e49

    • C:\ProgramData\D802.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      147KB

      MD5

      35d5887a0deb21c8f40cc8dcdfb25ac7

      SHA1

      10a87034b8923fff695b3e09adfb7895479c0571

      SHA256

      781237ded944e806a09a77d3fec1426885146933110580f67250cfbda6763750

      SHA512

      7e7bd4f4fd27474ee786e7070a134404977808789b57bd58c61f3e05067dbcf554dd4662757f8e17e628c06e67b312bc2cc4204641fae7642ce06dacb85ddeab

    • C:\Users\Admin\AppData\Local\Temp\{0406CC86-F0EE-4460-A52F-026C26BA129E}

      Filesize

      4KB

      MD5

      2170c4f8475696642a5c71e4c32a6188

      SHA1

      520c50e1efd9c346ddad381f06b179cde29c0d37

      SHA256

      a376bffcb8d792b98e215828ca1fa992bb53b6c893853ea1e34330f48b77da09

      SHA512

      fad92e6b58c6b5d3c6ee880c85d3b78fd5c5a10de7e9e8e536053b42fb6fc5a8acc3c0f9c283cb7beadcb5ea5b2e2ffb2bd9562ff9cdfdc347326cf513cdc870

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      8ec8828c09340ed64801d79f111cdb58

      SHA1

      1c469668489d50d46ebb002a4044a353b195443c

      SHA256

      03c2228e7328afa06e136c74ab41c3de26b9a2ba0b78c4e59f9159a36a1b07a2

      SHA512

      9cb3f421cfcad36093e0aed8229ebd853363ce152c509ab9ad433c75fb17f85770b8b515d8cd739d2aea6f7c8673c1f4a0651a9a8f5595948d1ab7f43a888831

    • C:\dZGlueXae.README.txt

      Filesize

      1KB

      MD5

      194200178a1b5be9df886d8b4820dc97

      SHA1

      6241b893856c6ff3b43ab900f06a1d34d52b23ee

      SHA256

      50f815a145695bc049ba880c4583dc3417a29b8a94613918ebefb0e5be16eb75

      SHA512

      c67d782579620c8438b4557b0f6a2c806880eba210ac034d2b46189bae7aea167c871582ce00adead3cd6341c5240cb6f820318e91d58a909550106ad6eba9bc

    • F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      ff71ccc7cc8754c0e38539c5d089cf47

      SHA1

      648d303eb3adb0e2317021d64176a950d8bb4c2f

      SHA256

      2d1edd60537317858a1bb31869460414b1a6c23abf36205edcdea9027ed1b0c7

      SHA512

      9a583efd788bd31f891baada72cbeab0f5d48e77d606edf149f0905a7c79d792a1f4470d4b9a85c970509951160539199528c1e835460535316c476bf87c6c58

    • memory/2128-333-0x00000000028B0000-0x00000000028C0000-memory.dmp

      Filesize

      64KB

    • memory/2128-334-0x00000000028B0000-0x00000000028C0000-memory.dmp

      Filesize

      64KB

    • memory/2128-332-0x00000000028B0000-0x00000000028C0000-memory.dmp

      Filesize

      64KB

    • memory/2128-2-0x00000000028B0000-0x00000000028C0000-memory.dmp

      Filesize

      64KB

    • memory/2128-1-0x00000000028B0000-0x00000000028C0000-memory.dmp

      Filesize

      64KB

    • memory/2128-0-0x00000000028B0000-0x00000000028C0000-memory.dmp

      Filesize

      64KB

    • memory/4760-354-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

      Filesize

      64KB

    • memory/4760-358-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

      Filesize

      64KB

    • memory/4760-351-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

      Filesize

      64KB

    • memory/4760-382-0x00007FFCDFC80000-0x00007FFCDFC90000-memory.dmp

      Filesize

      64KB

    • memory/4760-383-0x00007FFCDFC80000-0x00007FFCDFC90000-memory.dmp

      Filesize

      64KB

    • memory/4760-349-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

      Filesize

      64KB

    • memory/4760-350-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

      Filesize

      64KB